In the last 18 months alone, I’ve worked with projects ranging in size from 30 to nearly 500 team members implementing SAP solutions. One thing that all of these projects have in common is a need to manage project scope. Fortunately, SAP Solution Manager has some tools to help with this. In addition to the Business Process Hierarchy (BPH) found in transaction SOLAR01 (which is used to define the project scope), utilities contained in transaction SOLAR_EVAL evaluation reports can also help you see what has changed over time.

You might be wondering: What if you don’t want to take the “audit” or reactive approach to managing your scope? What if you would like to implement and systematically enforce change control for your project scope? If you use the techniques I describe in this article in conjunction with those I described in “Improve Document Management by Securing Attributes,” you can take charge of the changes taking place in your project scope.

The initial setup to allow you to take control of the changes in the BPH is not very complex and gives you a level of control over changes to the project scope that was not practical prior to the deployment of SAP Solution Manager. Before it was introduced, project scope was managed via spreadsheets and documentation was stored all over the place. Now you have a structured way to manage scope and store solution documentation for your projects with SAP Solution Manager.  

To set up the BPH change control, you use features from Project Administration (transaction SOLAR_PROJECT_ADMIN), SAP security features (transaction PFCG), and the Business Blueprint functionality in transaction SOLAR01.

Set the Stage 

First you need to tell SAP Solution Manager that you want to turn on BPH structure control. This is done in SOLAR_PROJECT_ADMIN by activating the BPH authorization engine and identifying the team member assigned to the project.

Steps to activate the BPH authorizations (Figure 1):

Step 1. Enter transaction SOLAR_PROJECT_ADMIN

Step 2. Double-click your project

Step 3. Click the Proj. Team Member tab

Step 4. Check off the check box next to Restrict changes to nodes in project to assigned team members. This activates an authorization check when a team member tries to change the BPH structure in transaction SOLAR01.

Figure 1

Activate security controls for the BPH structure

SAP Solution Manager uses a combination of project team assignments to the project, authorization objects assigned to the team member user profiles, and team member assignments to specific structure nodes to perform authorization checks. Now, before it becomes confusing that I’ve crossed three different maintenance areas in SAP Solution Manager in a single sentence, I’ll go through the set-up steps in order.

User Assignment to the Project

First, tell SAP Solution Manager which users should have access to which areas of BPH. Assuming that your team members already have SAP Solution Manager user profiles, you can begin enhancing their access controls to give project leadership control over BPH changes. Note that you should see your security team about creating the base user profile for team members. This setup is beyond the scope of this article. Additions to user profile configurations are covered in detail later in this section.

The first step is to assign all the team members to the project.

1. Enter transaction SOLAR_PROJECT_ADMIN
2. Double-click the project you wish to activate
3. Click the Proj. Team Member tab
4. Add the team members assigned to your projects manually (Figure 2)

Figure 2

Assign users to the project

Enhance a User’s Security Profile

There are many approaches to security profile and role maintenance. Use the information in this section to augment the processes and procedures your project has defined for performing user maintenance in SAP Solution Manager.

The key authorization objects used in enabling BPH change control include access to the Structure tab and the Administration tab in transaction SOLAR01. The users that will be authorized to change the project scope (at the structure node level — see my quick tip mentioned earlier, “Improve Document Management by Securing Attributes,” for more information on change control at the document level) need to have authorization object AI_SA_TAB in their user authorizations, with the field TABNAM = STRUCT and field ACTVT = 02. I’ll explain more on this process later in the article.

In addition, many projects use the Administration tab to manage work during the Blueprint phase because it has fields such as Status and Key Words, which you can use to navigate the BPH and monitor project progress. You don’t want to eliminate team members’ ability to use this tab, so you need to add it to the role. To do this you must assign authorization object AI_SA_TAB, field TABNAM = PRODATA, and field ACTVT = 02 to the team member’s role. Again, I’ll explain more about this later.

As a general rule, I prefer to use collections of single roles to fine-tune user access. Other security teams prefer the use of composite roles. You should follow the standards established by your team. For the remainder of this article, I’ll use the single role approach.

To enable a user to access the Structure and Administration tabs in SOLAR01, you can build a single role. This role only controls the structure and administration data access. I assume that access to SOLAR01 and other authorizations are already assigned to the users at this point. To build the role:      

Step 1. Enter transaction PFCG

Step 2. Enter a role name (e.g., Z:BPH_STRUC_MAIN)

Step 3. Click the Single Role button

Step 4. Enter the long text and role description (Figure 3)

Figure 3

Initial maintenance screen for creating the role for BPH structure maintenance

Step 5. Click the Authorizations tab. In this tab, click the propose profile name icon  (Figure 4). Alternatively, you can use your particular project standards to choose a profile name.

Figure 4

Profile name generation

Step 6. Click the change authorization data icon

Step 7. In the Change role: Authorizations screen, click the add Manually button (Figure 5)

Step 8. Enter AI_SA_TAB as the authorization object and press the Enter key

Figure 5

Add the authorization object to the role

Step 9. Expand the structure fully by selecting the structure name Z_BPH_STRUC_MAIN and then clicking the expand all icon

Step 10. Turn on technical names to help you find the Authorization Objects and Field Names by following menu path Utilities > Technical names on (Figure 6)

Figure 6

Turn on technical names

Step 11. Set the field value Activity (ACTVT) to 02. You can do this by double-clicking the Activity field to prompt.

Step 12. Set the field value for Tab in SAP Solution Manager (TABNAME) to STRUCT and PRODATA (Figure 7). This gives the user change authorization to the Structure and Administration tabs.

Figure 7

Set the appropriate field values

Step 13. Set the field value of Transaction Type in SAP Soluti… (TRANSTYPE) to 1 (Figure 8). You can also control the configuration structure and test project structure here, but this is beyond the scope of this article.

Figure 8

Activate Business Blueprint structure maintenance authorization in a new role

Your role is now ready to assign to users. You can use authorization object S_PROJECT to control user access to SAP Solution Manager projects. One very important activity called 78 — Assign drives the authorization to maintain the project structure. Activity 78 governs who can assign team members to a BPH on the Administration tab. Double-click the field ACTVT to open a pop-up dialog where you can un-check the check box by 78 — Assign (Figure 9). You don’t want users without authorization to change the project scope or have the ability to assign team members to structure nodes. Switching 78 off disables their ability to assign users to the structure on the Administration tab.

Figure 9

Assign activity authorization in authorization object S_PROJECT

Save and generate this new role. Then, assign this role to the users authorized to maintain the BPH structure. This is beyond the scope of this article, but you can work with your security team to assign roles to users. Keep in mind that the combination of the removal of activity 78 from S_PROJECT and the addition of activity 02 in AI_SA_TAB – TABNAM = STRUCT is for the team members only. Team leads with the authority to assign team members to particular areas of the BPH need activity 02 in AI_SA_TAB, TABNAM = STRUCT, activity 02 in AI_SA_TAB, TABNAM = PRODATA, and activity 78 in S_PROJECT. You can refer to Tables 1 and 2 at the end of this article for a full list of the combination of authorization objects for project team members and team leads.

At this point, the use of the S_PROJECT authorization object may not make much sense to you. You might be wondering why control over project-level authorizations is required when you want to control the scope within the project. However, in the next section, you’ll see how it comes into play. The combination of AI_SA_TAB, TABNAM = STRUCT and S_PROJECT, with ACTVT = 78 activates the BPH structure maintenance control feature.

Assign Users to Structures They Can Maintain

Once the user profiles have been maintained, you don’t need to contact the security team anymore because the rest is done in transaction SOLAR01. You’ve already switched on the global activation of the authorization check and granted the appropriate users authorization to maintain the BPH structure. But how can you control which parts of the structure can be changed by individual team members? Herein lies the real power of this feature. After all, what’s the point of change control if it’s not granular? 

Once a project goes under scope control, it’s often the case that the scope of individual teams becomes somewhat territorial. SAP Solution Manager allows you to control which team members can edit which structure elements and at which level they can change them.

For example, assume you have a very large project team — your order-to-cash (OTC) has more than 100 members. Consequently, sub-teams are created around the individual processes within the OTC end-to-end process stream. The OTC team might be divided into Order Management, Delivery Processing, and Invoice Processing sub-teams. Each of these sub-teams have leads that are accountable for delivering their team’s scope, so they want to be in control of that scope.

The team lead would want to assign specific team members the authority to maintain the BPH structure for their team. To do this, the team lead would assign the team member(s) to the Team Member list on the Administration Tab on the BPH structure (Figure 10).

Note that you can assign team members at the Scenario Level, Process Level, and the Step Level. The team members only have authority to change the structure nodes for the nodes to which they are assigned.

Here are the steps to follow:

Step 1. Enter transaction SOLAR01

Step 2. Select your project

Step 3. Navigate to the scenario where you wish to grant change control to a team member

Step 4. Click the Administration tab

Step 5. In the Team Member’s sub-tab, enter the team members to whom you wish to grant the authority to change the structure (Figure 10). The insert icon  is used to add new team members in this tab.

Figure 10

Assign team members to the business process to allow for step scope changes

Because a team member can only change the Structure tab for the nodes to which they’ve been assigned, maintaining a large structure with the team member assignments could become quite tedious. Fortunately, SAP has added a handy button to the team member maintenance window. The make mass change icon  performs a cascade assignment to all subordinate nodes of the structure. If you use this button to assign a team member at the Scenario level node, the team member is assigned to all subordinate Processes and Steps in the scenario. This speeds maintenance significantly.

How It All Comes Together

Now I’ll give you a step-by-step example of how this all works together. I will log in as a user without authorization to edit the structure in the OTC scenario as if I’m new to the team. Then my team lead will assign me to the structure as someone authorized to make changes. Finally, I’ll make an approved structure change.

Figure 11 shows the error message informing me (i.e., test user ZBPHSTRUC) that I’m not authorized to make changes to the Structure tab. The test user is not assigned on the Administration Tab.

Figure 11

Authorization block for user ZBPHSTRUC

Figure 12 shows the Administration tab for the same structure node. The absence of user ZBPHSTRUC is why I saw the message displayed in Figure 11.

Figure 12

Administration tab on the BPH node (note the absence of team member and user ZBPHSTRUC)

Next, the team lead logs in and assigns the new team member, ZBPHSTRUC, to the Administration tab (Figure 13). Remember that user ZBPHSTRUC must also be assigned to the project in SOLAR_PROJECT_ADMIN as described earlier (Figure 2).

Figure 13

User ZBPHSTRUC added to the Administration tab by the team lead

As a result, user ZBPHSTRUC is able to maintain the structure elements only on this process node. Figure 14 shows user ZBPHSTRUC able to edit the Structure tab for the OTC business processes. Figure 15 shows the same user unable to maintain the Upgrade of SAP Solutions scenario. When users try to maintain this particular BPH node, they see an authorization error.

Figure 14

The user is able to maintain the OTC business processes

Figure 15

User ZBPHSTRUC is still not authorized to maintain the Upgrade of SAP Solutions scenario

Tips on Scope Control

Scope control is one of the most powerful influences on timeline and cost for SAP projects. Using SAP Solution Manager’s security controls, you can precisely customize who has control over setting and changing project scope.

I covered two main project roles in this article: the team member and the lead who needs to manage the scope of his team. To enable this, I used transaction SOLAR_PROJECT_ADMIN to assign the team members to the project and activate the BPH structure node authorizations. Then, these authorizations were maintained to limit team members’ access. The effects of these features were demonstrated in the example of a new team member being granted access to change the BPH structure. Table 1 contains a full summary of the authorizations and transactions used to deliver this capability. Table 2 shows the combinations of authorizations by project job role.

Table 1

Transaction and authorization object summary

Table 2

Authorizations by project job role

D. Russell Sloan

D. Russell Sloan is a specialist in project and program governance for IBM. He focuses on the use of SAP Solution Manager for global rollout projects for IBM’s largest customers, having worked with SAP software since 1996. Russell has degrees in accounting and information systems and has been a team and project leader for SAP projects for more than 14 years. He has been developing and deploying software systems for over 30 years.

You may contact the author at solmanruss@gmail.com.

If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.